Acronis True Image fails to update itself securely

Discussion in 'other security issues & news' started by ronjor, Jun 19, 2017.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,883
    Location:
    Texas
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Geesh. And they sell a version that is supposed to help you with security.
     
  3. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,653
    Thanks Ron.

    I don't know whether you all noticed that this vulnerability article was written by the same person who wrote the recent vulnerability article about Samsung Magician (post by Ron here): Will Dormann of the CERT/CC.
    Now those two reported vulnerabilities are not the same. But I hope that Will Dormann will continue to look at more programs and how secure they update themselves. I could think of some...
     
  4. eturtseva

    eturtseva Registered Member

    Joined:
    Jun 21, 2017
    Posts:
    1
    Location:
    Boston
    Hi all,
    My name is Katya, VP of communications at Acronis.

    Here is our official comment about it:

    Acronis is aware of a minor security issue related to Acronis True Image (versions 2017 Build 8053 and earlier) that was reported by our colleagues at CERT Coordination Center (CERT/CC) at Carnegie Mellon University's Software Engineering Institute.

    We immediately fixed the vulnerability, prepared a patch for our newest update, and are currently notifying users of the issue.

    While the threat to users is considered low-risk since multiple, rare occurrences would need to happen in order for someone to exploit the vulnerability, we are urging all Acronis True Image customers to apply the patch by opening the application and selecting “Check for Updates.”

    Acronis takes data protection very seriously, which is why we have acted so quickly to respond to this threat. We will examine this incident further to ensure no similar vulnerabilities exist in our products.
     
  5. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    Has Acronis patched the vulnerability in the pipes upstream of the client so that downloading the patch will be done through a newly secured line or is installation of the patch required to fully secure the internal download process? If the latter, hawki questions the wisdom of encouraging all to download the patch through the internal update process which is what your statement seems to imply.

    Sorry, but hawki is not what one would consider an Acronis fanboi atm:

    https://www.wilderssecurity.com/threads/bork-tuesday-any-problems-yet.370217/page-126#post-2686661
     
    Last edited: Jun 21, 2017